Always download software from official sites. This obvious tip is not followed by everyone, as the spread of the StrongPity malware demonstrates. Researchers at Minerva Labs found that a new variant was hidden in the installer of the popular application Notepad++ distributed through third-party sites.

StrongPity strikes again

StrongPity (also known as APT-C-41 and PROMETHIUM) is a group of cybercriminals active since 2012 that adds backdoors to legitimate software used by specific users, a technique known as watering hole. Kaspersky discovered in 2016 that the malware was hidden in WinRAR and TrueCrypt installers downloaded mainly in Italy and Belgium. Now the cybercriminals have taken advantage of the popularity of Notepad++.

The attack occurs in three stages. The unsuspecting victim downloads and installs the bogus software (whose icon is the original one). The WindowsData directory is then created in C:\ProgramData\Microsoft. Three files are then copied:

- npp.8.1.7.Installer.x64.exe (the original installation file) in C:\Users\Username\AppData\Local\Temp
- winpickr.exe (an infected file) in C:\Windows\System32
- ntuis32.exe (a keylogger) in C:\ProgramData\Microsoft\WindowsData

The last two files are also run in the background during the installation process. The file winpickr.exe creates a new service, PickerSrv (run when the operating system starts), which in turn executes the file ntuis32.exe. The keylogger then starts saving the pressed keys in various hidden files with the extension .tbl. These are copied to the directory C:\ProgramData\Microsoft\WindowsData and subsequently sent to a remote server.
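As an added example that is not from the article or from Minerva Labs, the following read-only PowerShell triage script checks a host for the artifacts described above (the dropped files, the PickerSrv service and the hidden .tbl files); expanding "Username" to every profile under C:\Users is an assumption, and the script only reports, it changes nothing.

```powershell
# Added example: read-only host triage for the StrongPity Notepad++ artifacts.
# Paths and names are taken from the article; nothing here is removed or killed.
$findings = @()

# 1. Dropped executables at the locations the article lists
$dropped = @(
    'C:\Windows\System32\winpickr.exe',
    'C:\ProgramData\Microsoft\WindowsData\ntuis32.exe'
)
foreach ($p in $dropped) {
    if (Test-Path -LiteralPath $p) {
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings += "Dropped file present: $p (SHA256 $hash)"
    }
}

# 2. The persistence service that winpickr.exe registers
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='PickerSrv'" -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "Service PickerSrv found: StartMode=$($svc.StartMode) State=$($svc.State) Path=$($svc.PathName)"
}

# 3. Hidden .tbl keylog files staged for exfiltration (-Force includes hidden files)
$stage = 'C:\ProgramData\Microsoft\WindowsData'
if (Test-Path -LiteralPath $stage) {
    $tbl = Get-ChildItem -LiteralPath $stage -Filter '*.tbl' -Force -File -ErrorAction SilentlyContinue
    if ($tbl) {
        $newest = ($tbl | Sort-Object LastWriteTime | Select-Object -Last 1).Name
        $findings += "Staged keylog files in ${stage}: $($tbl.Count) .tbl file(s), newest $newest"
    } else {
        $findings += "Staging directory $stage exists but holds no .tbl files"
    }
}

# 4. The original installer copied into a user Temp directory (weak indicator on its own:
#    a user may simply have downloaded the installer there; assumes one copy per profile)
foreach ($prof in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $inst = Join-Path $prof.FullName 'AppData\Local\Temp\npp.8.1.7.Installer.x64.exe'
    if (Test-Path -LiteralPath $inst) {
        $findings += "Installer copy in user Temp: $inst"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No StrongPity Notepad++ artifacts found on this host.'
} else {
    Write-Output 'Possible StrongPity Notepad++ infection; isolate the host and preserve the files listed:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it from an elevated prompt so that System32 and the hidden staging directory can be read; the service check and the presence of ntuis32.exe together are the strongest signals.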

Fortunately StrongPity is detected by almost all antivirus products. To avoid problems, it is strongly recommended not to download software from unofficial sites. The latest version (8.1.9.3) of Notepad++ can be downloaded from the developer’s website.